"Access Switch Comprehensive Security Configuration Baseline (for H3C)" template
(Core–Access–endpoints/unmanaged switches), for combined protection scenarios such as loop prevention, DHCP spoofing prevention, MAC flooding prevention and port control.
⚙️ 1. Global system configuration
system-view
#
=== Basic security settings ===
undo info-center enable # Disable unnecessary log output (re-enabled further down once logging and traps are configured)
mac-address max-mac-count 8192 # Limit the size of the MAC learning table
#
=== Prevent loop-induced broadcast storms ===
vlan 224
name LBD-DETECT
#
loopback-detection global enable vlan 224
loopback-detection global action shutdown
#
=== Enable DHCP snooping (block rogue DHCP servers) ===
dhcp-snooping
dhcp-snooping enable vlan 42 48 # Monitor the user VLANs
#
=== Enable logging and trap alerts ===
info-center enable # Re-enable the information center (overrides the earlier undo) so that shutdown and loop alerts reach the log server
snmp-agent trap enable
#
=== Enable port security globally ===
port-security enable # System-view command; the per-port MAC limits in section 3 only take effect once this is on
🧱 2. Uplink port configuration (to aggregation/Core)
interface Ten-GigabitEthernet1/0/48
description Uplink-to-Core
port link-type trunk
port trunk permit vlan 1 42 48
port trunk pvid vlan 1
dhcp-snooping trust # Let DHCP server replies through (the uplink must be trusted)
broadcast-suppression 5 # Storm suppression: broadcast threshold 5% of port bandwidth
multicast-suppression 5 # Multicast threshold 5%
unicast-suppression 10 # Unknown-unicast threshold 10%
loopback-detection enable vlan 224
🧩 3. Downlink user port configuration (endpoints/unmanaged switches)
interface range GigabitEthernet1/0/1 to GigabitEthernet1/0/24
description USER-ACCESS
port link-type access
port access vlan 42
loopback-detection enable vlan 224
port-security port-mode autolearn # Requires port-security enable in system view; autolearn makes the MAC limit below enforceable
port-security max-mac-count 2 # Allow at most 2 devices per port
port-security intrusion-mode disableport # Shut the port down automatically when the limit is exceeded
broadcast-suppression 1 # Tighter storm thresholds on user ports
multicast-suppression 1
unicast-suppression 5
undo dhcp-snooping trust # User ports stay untrusted (the default): DHCP offers arriving here are dropped
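As an added example that is not part of the original template: a small Python check that parses an H3C-style saved configuration and reports interfaces that break the uplink/downlink rules in sections 2 and 3 (only the uplink is dhcp-snooping trust, every port carries loopback-detection on VLAN 224, user ports carry port-security). The sample configuration text and the interface names in it are constructed for the demonstration.

```python
# Added example, not from the original template. SAMPLE_CONFIG is constructed to
# resemble an H3C saved configuration; one user port deliberately violates the baseline.
SAMPLE_CONFIG = """\
interface Ten-GigabitEthernet1/0/48
 port link-type trunk
 dhcp-snooping trust
 loopback-detection enable vlan 224
#
interface GigabitEthernet1/0/1
 port link-type access
 port access vlan 42
 loopback-detection enable vlan 224
 port-security max-mac-count 2
#
interface GigabitEthernet1/0/2
 port link-type access
 port access vlan 42
 dhcp-snooping trust
#
"""

def parse_interfaces(config):
    """Map each 'interface X' block to the list of commands under it ('#' ends a block)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks

def check_baseline(config, uplinks, lbd_vlan="224"):
    """Return (interface, finding) pairs for ports that deviate from the baseline rules."""
    findings = []
    lbd_cmd = f"loopback-detection enable vlan {lbd_vlan}"
    for name, cmds in parse_interfaces(config).items():
        trusted = "dhcp-snooping trust" in cmds
        if name in uplinks and not trusted:
            findings.append((name, "uplink must be dhcp-snooping trust"))
        if name not in uplinks:
            if trusted:
                findings.append((name, "user port must not be dhcp-snooping trust"))
            if not any(c.startswith("port-security") for c in cmds):
                findings.append((name, "missing port-security"))
        if lbd_cmd not in cmds:
            findings.append((name, "missing loopback-detection"))
    return findings
```

Run `check_baseline(SAMPLE_CONFIG, {"Ten-GigabitEthernet1/0/48"})` against the output of `display current-configuration` saved to a file to audit a real switch.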
🧰 4. Recovery commands
View loop detection status
display loopback-detection
Bring up a port that was shut down
interface GigabitEthernet1/0/5
undo shutdown
View the DHCP snooping binding table
display dhcp-snooping binding
View port security status
display port-security interface GigabitEthernet1/0/5
🧠 5. Recommended monitoring
SNMP alerts: send loopback-detection and port-security traps to the network monitoring system;
Centralized syslog: collect shutdown alerts on a single log server;
Periodically clear the binding table:
reset dhcp-snooping binding